Posts tagged Security Strategy

3 min Penetration Testing

Password Tips From a Pen Tester: Common Patterns Exposed

Welcome back to Password Tips From a Pen Tester. Last time, I talked about what you can expect to learn from these posts and I also explained the three most common passwords that we see on penetration tests [/2018/05/10/password-tips-from-a-pen-tester-3-passwords-to-eliminate/]. This month, let’s take a look at how that kind of information is helpful on a penetration test [https://www.rapid7.com/fundamentals/penetration-testing/], and correlate what we know to actual data collected. When my co

4 min Research

2018 National Exposure Index Research Report: Internet Security Posture by Country

Today, I’m happy to announce that Rapid7 has released our third annual National Exposure Index (NEI) [https://www.rapid7.com/info/national-exposure-index/], a state of the internet report focusing on where in the world the most exposure is presented on the internet. I’m pretty pleased with how this year’s NEI turned out, primarily thanks to some overhauling we’ve done on the scoring algorithm that ranks countries. In fact, let’s get into that now. What the National Exposure Index Measures With

4 min Penetration Testing

Password Tips From a Pen Tester: 3 Passwords to Eliminate

Every week, Rapid7 conducts penetration testing services [https://www.rapid7.com/services/penetration-testing-services/] for organizations that cracks hundreds—and sometimes thousands—of passwords. Our current password trove has more than 500,000 unique passwords that have been collected over the past two years. Where do these come from? Some of them come from Windows domain controllers and databases such as MySQL or Oracle; some of them are caught on the wire using Responder [https://github.com

4 min CIS Controls

Critical Control 16: Account Monitoring and Control (ain’t nobody got time for that!)

This is a continuation of our CIS critical security controls blog series [/2017/04/19/the-cis-critical-security-controls-series/], which provides educational information regarding the control of focus as well as tips and tricks for consideration. See why SANS listed Rapid7 as the top solution provider addressing the CIS top 20 controls [https://www.rapid7.com/solutions/compliance/critical-controls/]. What is CIS Critical Control 16? In the world of InfoSec, the sexy stuff gets all the attention

3 min CIS Controls

CIS Critical Security Control 15 Explained: Wireless Access Control – Are You Really Managing Your WiFi?

This is a continuation of our CIS critical security controls blog series [/2017/04/19/the-cis-critical-security-controls-series/]. See why SANS listed Rapid7 as the top solution provider addressing the CIS top 20 controls [https://www.rapid7.com/solutions/compliance/critical-controls/]. Decades ago, your network was a collection of routers, firewalls, switches, wall ports, and what seemed like a million miles of cable. The only way for your employees and guests to access it was to be seated nea

5 min InsightIDR

How to Identify Attacker Reconnaissance on Your Internal Network

The most vulnerable moment for attackers is when they first gain internal access to your corporate network. In order to determine their next step, intruders must perform reconnaissance to scout available ports, services, and assets from which they can pivot and gain access to customer databases, credit card data, source code, and more. These initial moments are arguably your best opportunities to catch attackers before critical assets are breached, but unfortunately, it can be very challenging t
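The excerpt above describes the reconnaissance phase in which a newly landed intruder scouts ports, services and hosts. The following is an added example, written for this page and not taken from the original post or from InsightIDR: a sliding-window heuristic that flags a source which touches many distinct ports on one host (a port sweep) or one port on many hosts (a host sweep) within a short time, and counts RST replies as a hint that closed ports are being probed. The flow-log format, the IP addresses, and the thresholds are assumptions chosen for illustration; a real deployment would baseline them per network.

```python
"""Sliding-window reconnaissance detector over a constructed flow log.

Added example for the excerpt above; not Rapid7's or InsightIDR's code.
Assumed log format (one TCP connection per line, constructed for this demo):
    <ISO8601 time> <src_ip> <dst_ip> <dst_port> <tcp_flags_seen_from_dst>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: look back one minute per source
PORT_THRESHOLD = 10              # assumption: distinct dst ports from one source
HOST_THRESHOLD = 5               # assumption: distinct dst hosts from one source


def parse_flow(line):
    """Parse one flow-log line into (time, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_recon(lines, window=WINDOW, port_threshold=PORT_THRESHOLD,
                 host_threshold=HOST_THRESHOLD):
    """Return {src_ip: alert_dict} for sources that look like they are scanning.

    For each source the connections are replayed in time order; events older
    than `window` are dropped, and the first moment a threshold is crossed
    produces one alert for that source.
    """
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_flow(line)
            by_src[ev[1]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        recent = deque()
        for ev in events:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:   # expire old events
                recent.popleft()
            ports = {e[3] for e in recent}
            hosts = {e[2] for e in recent}
            rst = sum(1 for e in recent if "R" in e[4])   # closed-port replies
            kind = None
            if len(ports) >= port_threshold:
                kind = "port sweep"
            elif len(hosts) >= host_threshold:
                kind = "host sweep"
            if kind:
                alerts[src] = {"kind": kind, "ports": len(ports),
                               "hosts": len(hosts), "rst": rst, "at": ev[0]}
                break
    return alerts


def constructed_sample():
    """Build a constructed flow log (not real traffic) with three sources."""
    base = datetime(2018, 6, 1, 9, 0, 0)
    lines = []
    # 10.0.0.7: an ordinary workstation talking to expected services.
    for i, (dst, port) in enumerate([("10.0.1.10", 443), ("10.0.1.11", 53),
                                     ("10.0.1.10", 443)]):
        t = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{t} 10.0.0.7 {dst} {port} SA")
    # 10.0.0.5: port sweep of one host, twelve ports in twelve seconds,
    # only two of them open (SYN/ACK), the rest answered with RST.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445,
                              3389, 8080]):
        flags = "SA" if port in (22, 445) else "RA"
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.5 10.0.1.20 {port} {flags}")
    # 10.0.0.9: host sweep, SMB port on six hosts in six seconds.
    for i in range(6):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.9 10.0.1.{30 + i} 445 RA")
    return lines


if __name__ == "__main__":
    for src, a in detect_recon(constructed_sample()).items():
        print(f"{src}: {a['kind']} ({a['ports']} ports, {a['hosts']} hosts, "
              f"{a['rst']} RST) at {a['at'].isoformat()}")
```

The two thresholds separate the two classic recon shapes: a vertical scan piles up ports against one host, a horizontal scan piles up hosts against one port. The RST count is carried in the alert because a high ratio of refused connections from a host that normally only reaches a handful of services is a stronger signal than the raw connection count alone.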

5 min CIS Controls

CIS Critical Control 14 Explained: Controlled Access Based on the Need to Know

This is a continuation of our CIS critical security controls blog series [/2017/04/19/the-cis-critical-security-controls-series]. See why SANS listed Rapid7 as the top solution provider addressing the CIS top 20 controls. Let’s start with some simple, yet often unasked questions. Do you know what critical assets—information and data, applications, hardware, SCADA systems, etc.—exist in your organization’s network? Do you have a data classification policy? Who defines the criticality of systems

2 min Security Strategy

Just a little more may be all you need for great security

The following is a guest post from Kevin Beaver. See all of Kevin’s guest writing here [/author/kevinbeaver]. Thomas Edison once said that many of life's failures are experienced by people who did not realize how close they were to success when they gave up. Thinking about this in the context of security, the success that you're looking for could just be a day's worth of work away. Or, maybe just a few weeks’ worth. But how do you know? Will you be able to figure that out without falling into t

3 min CIS Controls

CIS Critical Security Control 13: Data Protection Explained

This is a continuation of our CIS critical security controls blog series [/2017/04/19/the-cis-critical-security-controls-series]. Data protection is one of the cornerstones of a solid security program, and it is a critical function of the CIA Triad of Confidentiality, Integrity, and Availability. Data protection, as characterized by Critical Control 13, is essentially secure data management. What do we mean by that? What is CIS Critical Security Control 13? Secure data management encompasses c

3 min InsightVM

Where the sidewalk ends, extend!

Back in the day, I had the pleasure of working in an environment that made heavy use of mainframes. These hulking beasts of yesteryear were workhorses, toting VSAM files hither and thither. One of the treats of the day was the abend. For the uninitiated, IEEE [http://ieeexplore.ieee.org/document/5733835/] defines abend as the “Termination of a process prior to completion.” The mere utterance of the portmanteau [https://en.wikipedia.org/wiki/Portmanteau] abend meant we had a crisis on our hands.

4 min CIS Controls

CIS Critical Control 12: Boundary Defense Explained

This blog is a continuation of our blog series on the CIS Critical Controls [/2017/04/19/the-cis-critical-security-controls-series/]. Key Principle: Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data. What Is It? Boundary defense is control 12 [https://www.cisecurity.org/controls/boundary-defense/] of the CIS Critical Controls [https://www.rapid7.com/solutions/compliance/critical-controls/] and is part of the ne

3 min Vulnerability Management

Cisco Smart Install (SMI) Remote Code Execution: What You Need To Know

What’s Up? Researchers from Embedi discovered [https://web.archive.org/web/20180828224625/https://embedi.com/blog/cisco-smart-install-remote-code-execution/] (and responsibly disclosed) a stack-based buffer overflow weakness in Cisco Smart Install Client code which causes the devices to be susceptible to arbitrary remote code execution without authentication. Cisco Smart Install (SMI) is a “plug-and-play” configuration and image-management feature that provides zero-touch deployment for new (t

6 min CIS Controls

CIS Critical Control 11: Secure Configurations for Network Devices

This blog is a continuation of our blog series on the CIS Critical Controls [/2017/04/19/the-cis-critical-security-controls-series/]. We’ve now passed the halfway point in the CIS Critical Controls. The 11th deals with Secure Configurations for Network Devices. When we say network devices, we’re referring to firewalls, routers, switches, and network IDS [https://en.wikipedia.org/wiki/Intrusion_detection_system] setups specifically, but many of these concepts can and should be applied to DHCP/DN

2 min Security Strategy

Cavete Symantec Testimonium Exspirare Martiis (Beware the Symantec Certificates Expiring in March)

This is a follow-up post to our December 2017 gift certificate [/2017/12/27/forget-the-presents-haxmas-is-all-about-the-gift-certificates/] piece discussing the 2018 schedule for distrust of Symantec certificates [https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html] by Chrome and Firefox browsers. The Ides of March [https://en.wikipedia.org/wiki/Ides_of_March] have come and gone and (as promised) we decided to see whether sites have heeded the sooth-sayings of Googl

3 min Vulnerability Management

Rapid7 Named a Leader in Forrester Wave for Vulnerability Risk Management

Today, we’re excited to announce a major milestone for InsightVM [https://www.rapid7.com/products/insightvm/]: Recognition as a Leader in The Forrester Wave™: Vulnerability Risk Management, Q1 2018, earning top scores in both the Current Offering and Strategy categories. We are proud of the achievement not only because of years of hard work from our product team, but also because we believe that it represents the thousands of days and nights spent working with customers to understand the challen